Hi Randy,

So first, I'd recommend trimming your pcap to only include the eicar.com request. You have over 2600 packets in that pcap and that makes testing much more difficult since your actual test traffic is less than 1% of that.

Second, I'm not sure I fully understand your test bed. How does your virtual security appliance "see" the eicar.com file? Have you confirmed that this appliance sees all the traffic?

Third, your statement about an "eicar server" is a red flag for me. That sounds like you expect tcpreplay to make a HTTP connection to your server. Tcpreplay can not do that. It can only pretend to be *both* the client and server. If you need to connect to a server, then tcpliveplay is the correct tool.

Regards,
Aaron

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin

On Tue, Apr 14, 2015 at 7:03 AM, Randy Sanginario <randy.sangina...@gmail.com> wrote:
> Hi There,
>
> I am trying to replay the following pcap file in a private subnet of mine for testing purposes. The pcap was captured on a guest (call it Win7-a) in my vmWare cluster and replayed from another guest in the same cluster. All of my guest virtual machines in the cluster are Windows7 clones setup with one NIC (eth0). To replay the pcap I run "tcpreplay -i eth0 -K --loop1 mytestpcap.pcap". The pcap pretty much contains a GET to download an eicar virus file. I am trying to see that with our security virtual appliance catches the virus but this does not seem to happen when I replay. It is my understanding that I don't have to run tcpreplay from the source machine itself (i.e. Win7-a). I've run tcpreplay and re-captured the traffic and all looks good there but again the traffic should flow from Win7-a through my security virtual appliance and to the eicar server. However the fact that the virus is not being detected tells me there is something that I am not understanding. When I execute this test by hand (i.e. accessing the eicar.com.txt virus) from Win7-a, the security virtual appliance does catch/block the threat.
> I should note that I did not do any tcpprep or tcprewrite work on this pcap.
>
> Any help on this matter would be greatly appreciated as I would love to use this tool to drive many pcaps through my cluster for the sake of persistence testing.
>
> Thanks much.
>
> randy
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
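An added example, not from the thread or from the tcpreplay project, of Aaron's first suggestion: cutting a large capture down to just the eicar.com conversation (both directions) before replaying it, so the appliance's verdict can be tied to that one flow. It assumes a classic (not pcapng) pcap of Ethernet/IPv4/TCP frames; the sample capture, its addresses and ports, and the helper names are all constructed for this example.

```python
import struct

# Constructed helper: minimal Ethernet/IPv4/TCP frame (no checksums; enough
# for flow filtering, not for a real TCP stack).
def build_frame(src, dst, sport, dport, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload

def build_pcap(frames):
    """Constructed sample: wrap frames in a classic little-endian pcap (linktype 1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1429000000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def flow_of(frame):
    """(direction-independent flow key, TCP payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip IPv4 header (IHL in words)
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    key = frozenset({(frame[26:30], sport), (frame[30:34], dport)})  # same key both ways
    return key, tcp[(tcp[12] >> 4) * 4:]         # payload starts after data offset

def records(data):
    """Yield (16-byte record header, frame) from a classic pcap of either endianness."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl]
        off += 16 + incl

def trim_to_flow(data, marker):
    """Return (trimmed pcap, packets kept) for the one TCP flow whose payload contains marker."""
    recs = list(records(data))
    target = next((p[0] for _, f in recs if (p := flow_of(f)) and marker in p[1]), None)
    if target is None:
        return None, 0
    out, kept = bytearray(data[:24]), 0            # reuse the original global header
    for hdr, frame in recs:
        p = flow_of(frame)
        if p and p[0] == target:
            out += hdr + frame; kept += 1
    return bytes(out), kept

WIN7A, SRV, OTHER = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]), bytes([10, 0, 0, 9])
SAMPLE = build_pcap([   # constructed: one unrelated flow plus the eicar request/response
    build_frame(OTHER, SRV, 40000, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    build_frame(WIN7A, SRV, 50123, 80, b"GET /eicar.com.txt HTTP/1.1\r\n\r\n"),
    build_frame(SRV, WIN7A, 80, 50123, b"HTTP/1.1 200 OK\r\n\r\n<file body>"),
    build_frame(SRV, OTHER, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n")])
TRIMMED, KEPT = trim_to_flow(SAMPLE, b"GET /eicar.com")
```

On a real capture the same cut is normally made with `tcpdump -r big.pcap -w eicar.pcap 'host <client> and port 80'` once the client address is known; the script above is for the case where only the request payload identifies the flow. Replaying the trimmed file still sends both halves of the conversation from one interface, which is exactly why the appliance must be positioned to see that traffic rather than expecting a live server to answer.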